Spyware and malware are problematic for consumers and organizations. Despite attempting to block malicious software (malware), individuals and businesses continue to get infected, suffering substantial financial losses due to data stolen from their systems. The problem is highly visible to the public. In fact, a data breach that involves spyware or other types of malware can put an organization out of business when it leaks trade secrets or sensitive data whose disclosure can lead to fines or other penalties. Furthermore, recovering from a malware infection is very costly, and can involve the need to hire forensic investigators and to buy new computing devices.
Malicious software attempts to evade detection of anti-virus software and other anti-malware software using a variety of means. As a result, it has become impractical to rely solely on anti-malware tools and other traditional security mechanisms to resist malware infections.
One way in which malicious software can steal sensitive data involves extracting such data from runtime memory of the compromised system or device. For example, such “memory scraping” techniques have been used to steal card data (debit, credit, gift, etc.) from infected Point-Of-Sale (POS) systems. Such malware scans memory for data that resembles the format of the data it is designed to steal, such as magnetic card data stored in memory by a POS application. Alternatively, the malware monitors the applications that produce or use the card data, attempting to intercept the data when the applications pass, write, or transmit it.
Even when sensitive data is encrypted during storage and transit, applications that need to process the data must temporarily hold it in memory in decrypted form. This brief window of time presents malware with an opportunity to capture the data. Such memory scraping techniques were used in numerous POS breaches with the help of malicious tools such as Dexter, ChewBacca, and BlackPOS, to the detriment of the affected organizations and their customers.
These breaches have occurred even though many of the affected organizations deployed traditional security mechanisms, such as antivirus software and firewalls. It may be impractical or costly to prevent the act of memory scraping without re-architecting the affected applications and the ecosystem within which they operate. However, if the organization could detect the presence of such malware early, the organization may shorten its incident response time and minimize losses.
Memory-scraping malware repeatedly enumerates local processes to locate the targeted application. It then reads the application's runtime memory to locate a pattern that matches the desired data. Some malicious programs only look at the memory of processes that possess the desired characteristics, while others are less discriminating, examining the memory of all running processes. More sophisticated memory-scraping malware avoids reading the memory on its own; instead, it stealthily modifies (“hooks”) the targeted application, so the malware can observe the legitimate application accessing or otherwise processing the sensitive data.
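The two behaviours just described, repeated reads of one sensitive application's memory and indiscriminate reads across many processes, are exactly what a defender can look for in cross-process memory-access telemetry. The following is an added example, not part of the original text and not any product's code: a small detector that parses a constructed, hypothetical event format (one line per process reading another process's memory) and raises an alert when, within a sliding time window, a source process either reads the POS application's memory repeatedly or touches many distinct target processes. The event schema, the sample lines, the process names (posapp.exe, upd.exe, scan.exe, avscan.exe) and the thresholds are all assumptions chosen for illustration; the hooking variant described in the last sentence is not visible to this kind of read-count logic and would need a different signal (such as integrity checks on the application's code pages).

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample of cross-process memory-read events in a hypothetical
# sensor format (not any real product's schema). One line per read of another
# process's memory; t is in seconds. Paths contain no spaces by construction.
SAMPLE_EVENTS = r"""
t=100 src=4120 src_image=C:\Windows\System32\svchost.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=101 src=5566 src_image=C:\Users\Public\upd.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=102 src=5566 src_image=C:\Users\Public\upd.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=103 src=5566 src_image=C:\Users\Public\upd.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=104 src=5566 src_image=C:\Users\Public\upd.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=200 src=7001 src_image=C:\Temp\scan.exe dst=412 dst_image=C:\Windows\System32\lsass.exe access=read
t=201 src=7001 src_image=C:\Temp\scan.exe dst=1200 dst_image=C:\Windows\explorer.exe access=read
t=202 src=7001 src_image=C:\Temp\scan.exe dst=2210 dst_image=C:\Printer\spool.exe access=read
t=203 src=7001 src_image=C:\Temp\scan.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=204 src=7001 src_image=C:\Temp\scan.exe dst=4120 dst_image=C:\Windows\System32\svchost.exe access=read
t=205 src=7001 src_image=C:\Temp\scan.exe dst=5000 dst_image=C:\Windows\notepad.exe access=read
t=300 src=900 src_image=C:\AV\avscan.exe dst=412 dst_image=C:\Windows\System32\lsass.exe access=read
t=301 src=900 src_image=C:\AV\avscan.exe dst=1200 dst_image=C:\Windows\explorer.exe access=read
t=302 src=900 src_image=C:\AV\avscan.exe dst=2210 dst_image=C:\Printer\spool.exe access=read
t=303 src=900 src_image=C:\AV\avscan.exe dst=3302 dst_image=C:\POS\posapp.exe access=read
t=304 src=900 src_image=C:\AV\avscan.exe dst=5000 dst_image=C:\Windows\notepad.exe access=read
"""

EVENT_RE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>\d+) src_image=(?P<src_image>\S+) "
    r"dst=(?P<dst>\d+) dst_image=(?P<dst_image>\S+) access=(?P<access>\w+)"
)


@dataclass(frozen=True)
class Event:
    t: int
    src: int
    src_image: str
    dst: int
    dst_image: str
    access: str


def parse_events(text):
    """Parse the hypothetical event lines; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(int(m["t"]), int(m["src"]), m["src_image"],
                                int(m["dst"]), m["dst_image"], m["access"]))
    return sorted(events, key=lambda e: e.t)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path, for allow/sensitive lists."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_memory_scraping(events, sensitive_images, window=10,
                           max_sensitive_reads=3, max_distinct_targets=5,
                           allowlist=frozenset()):
    """Return one alert per (source pid, kind) whose reads in the window look like scraping.

    targeted_reads:    the source read a sensitive process's memory >= max_sensitive_reads times
    broad_enumeration: the source read >= max_distinct_targets distinct processes
    Thresholds and window are illustrative assumptions, not tuned values.
    """
    recent = defaultdict(deque)  # source pid -> its read events inside the window
    seen = set()
    alerts = []
    for ev in events:
        if ev.access != "read" or basename(ev.src_image) in allowlist:
            continue  # ignore non-read access and known scanners (e.g. AV) on the allowlist
        q = recent[ev.src]
        q.append(ev)
        while q[0].t < ev.t - window:  # drop events that fell out of the sliding window
            q.popleft()
        sensitive_reads = sum(1 for e in q if basename(e.dst_image) in sensitive_images)
        distinct_targets = len({e.dst for e in q})
        for kind, hit in (("targeted_reads", sensitive_reads >= max_sensitive_reads),
                          ("broad_enumeration", distinct_targets >= max_distinct_targets)):
            if hit and (ev.src, kind) not in seen:
                seen.add((ev.src, kind))  # alert once per source and kind
                alerts.append({"src": ev.src, "src_image": ev.src_image,
                               "kind": kind, "t": ev.t})
    return alerts


def run_sample():
    """Run the detector over the constructed sample with posapp.exe as the sensitive process."""
    return detect_memory_scraping(parse_events(SAMPLE_EVENTS),
                                  sensitive_images={"posapp.exe"},
                                  allowlist={"avscan.exe"})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, upd.exe is flagged for targeted_reads at the third read of posapp.exe (t=103) and scan.exe for broad_enumeration once it has touched five distinct processes (t=204); the single svchost.exe read and the allowlisted avscan.exe sweep produce nothing. In practice the allowlist is the main false-positive control, since legitimate AV, debugging and crash-reporting tools also read other processes' memory, and alerts should be enriched with the source's signing status and parent process before anyone acts on them.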
Therefore, there is a need for improved detection of memory-scraping malware.